Date: Thu, 8 Oct 2015 14:29:30 +0200 From: Matthijs Kooijman <matthijs@...in.nl> To: oss-security@...ts.openwall.com Cc: alejandro@...ian.org, kevin@...nke.ca Subject: CVE request - perl library UI::Dialog 1.09 - shell escaping vulnerability Hi folks, can you please assign a CVE for the UI::Dialog perl library? I (re)discovered a flaw that allows arbitrary command execution when the library is given untrusted strings to show in a menu prompt. The flaw was initially reported in 2008 at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496448 but it seems this never reached upstream. I recently reported the bug upstream https://rt.cpan.org/Public/Bug/Display.html?id=107364, see that report for some additional details. Upstream has indicated to be working on a fix (see upstream bug), but no patches are available yet. Impact seems limited, I'm not aware of any well-known programs that use this library and are vulnerable (only two Debian packages depend on it, both use a UI::Dialog backend that is unaffected). Thanks, Matthijs Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ